Source: curl
Version: 7.85.0-1
Severity: important
Tags: patch upstream fixed-upstream bookworm
Forwarded: https://github.com/curl/curl/commit/0ac6108856b9d500bc376d1d7e0b648d15499837
Dear curl Debianites,

I have discovered that curl is not taking OpenLDAP-specific code paths, and is instead using older deprecated functions that are also buggier and less tested in curl. Aside from the obvious security implications, this also means that, to my understanding, there is no support for forcing StartTLS, no support for SASL authentication, and hence credentials might have to be sent in the clear if this is not addressed. This issue also only appears to have affected the Autotools build system.

Another bug I ran into---one that still needs to be fixed in CURL in the non-OpenLDAP code path---is that attributes with binary values are put exactly as-is into the LDIF, which is supposed to be a text file format, and hence the LDIF output is useless.

Although there aren't a ton of LDAP CURL users, I think the fix is small, targeted, tested by me, and appropriate for Bookworm, and so I've tagged the bug accordingly.

Note that this bug also affects the version of curl in experimental as of this writing.

had a brief chat with Daniel the curl author who said that there are already very few users of LDAP with curl, and seeing as there are no existing Debian bug reports on the matter, one could say

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (2, 'unstable-debug'), (2, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, arm64

Kernel: Linux 6.1.0-9-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information
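The second bug in the report concerns LDIF output: LDIF (RFC 2849) is a text format, and any attribute value that is not a "SAFE-STRING" (binary data, non-ASCII bytes, a leading space, colon or '<', or embedded NUL/CR/LF) must be written base64-encoded after a double colon rather than copied verbatim. The following is an added illustration, not code from curl or from this bug report, of what a correct LDIF writer has to do; the function names, the sample entry and the sample binary value are constructed for the example.

```python
import base64

# RFC 2849: a value may be written verbatim as "attr: value" only if it is a
# SAFE-STRING; everything else must be written as "attr:: <base64>".
_UNSAFE_ANYWHERE = {0x00, 0x0A, 0x0D}                      # NUL, LF, CR
_UNSAFE_AT_START = _UNSAFE_ANYWHERE | {0x20, 0x3A, 0x3C}   # SPACE, ':', '<'


def is_safe_string(value: bytes) -> bool:
    """True when value can be emitted as plain text after 'attr: '."""
    if not value:
        return True
    # SAFE-INIT-CHAR excludes SPACE, ':' and '<' in addition to NUL/CR/LF,
    # and every SAFE-CHAR must be 7-bit ASCII (bytes >= 0x80 are not allowed).
    if value[0] in _UNSAFE_AT_START or value[0] > 0x7F:
        return False
    if any(b in _UNSAFE_ANYWHERE or b > 0x7F for b in value[1:]):
        return False
    # RFC 2849 recommends base64 for values ending in a space, so that a
    # reader stripping trailing whitespace cannot silently alter the value.
    return not value.endswith(b" ")


def fold(line: str, width: int = 76) -> str:
    """Fold a long logical line the LDIF way: continuation lines begin with a space."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def encode_attr(name: str, value: bytes) -> str:
    """Render one attribute/value pair as an LDIF logical line."""
    if is_safe_string(value):
        return fold(f"{name}: {value.decode('ascii')}")
    return fold(f"{name}:: {base64.b64encode(value).decode('ascii')}")


def entry_to_ldif(dn: bytes, attrs: list[tuple[str, bytes]]) -> str:
    """Render a whole entry; the DN follows the same safe-string rule."""
    lines = [encode_attr("dn", dn)]
    lines += [encode_attr(name, value) for name, value in attrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample entry: a text attribute, a UTF-8 attribute and a
    # binary attribute (first bytes of a JPEG header) that must be base64'd.
    print(entry_to_ldif(b"cn=Alice,dc=example,dc=com", [
        ("cn", b"Alice"),
        ("displayName", "Zo\u00eb".encode("utf-8")),
        ("jpegPhoto", b"\xff\xd8\xff"),
    ]))
```

The distinction the report draws is visible in the output: `cn: Alice` is written as-is, while the UTF-8 and binary values come out as `displayName:: Wm/Dqw==` and `jpegPhoto:: /9j/`, which any LDIF consumer can decode back to the original bytes. Writing the raw bytes instead, as the report describes, produces a file that is not valid LDIF at all.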